DETAILED ACTION

This office action is in response to applicants' response filed on
01/31/2008.

• Claims 1, 3, 4 - 6, 9, 10, 12, 14, 16 - 18, 20, 24, 25, 26, 28, 29 - 31 are amended
in the instant pending application.

• Claims 15, 21 - 23, 27 are cancelled in the instant pending application.

• Claims 2, 8, 11, 13 are original in the instant pending application. 

• Claim 7 is previously presented in the instant pending application. 

• Claims 32 - 42 are new claims presented in the instant pending application. 



Response to Arguments 

• Applicants' arguments with respect to claims 1 - 42 have been considered but
are moot in view of the new grounds of rejection; please see the office action
below.



Claim Rejections - 35 USC § 103

1. The following is a quotation of 35 U.S.C. 103(a) which forms
the basis for all obviousness rejections set forth in this Office 
action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 



Claim(s) 1-42 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Thomsen (US Patent NO. 7194004 B1) in view 
of Renda et al. (US Patent NO. 7127524 B1) 



Thomsen discloses: 

1. A method, comprising the computer-implemented steps of: 

• in response to the security event, causing the network 
device to acquire a new network address that is selected 
from a second subset of addresses within a second specified 
pool associated with suspected malicious network users 
(Col. 5, lines 54-65, Col. 11, lines 62-63, Col. 12, lines 4 
- 9, the examiner notes that the security event is interpreted 
as if the authentication of the device fails); 

wherein 

• the second subset of addresses is different from the first
subset of addresses(Col. 5, lines 54 - 65, Col. 11, lines 62 -
63, Col. 12, lines 4 - 9, the examiner notes that un-trusted
and trusted IP addresses are different); and



• configuring one or more security restrictions with respect to
the selected new network address(Col. 11, lines 23 - 34,
Col. 11, lines 51 - 56).



3. A method as recited in Claim 1, wherein

• the network device uses dynamic host control protocol 
(DHCP) to obtain the new network address, and wherein the 
step of causing the network device to acquire the new 
network address comprises resetting a port that is coupled to 
the network device to prompt a user to command the 
network device to request a new network address using 
DHCP(Col. 8, lines 12 - 14, Col. 10, lines 62 - 64 ). 



4. A method as recited in Claim 1, wherein

• the network device uses dynamic host control protocol 
(DHCP) to obtain the new network address, and wherein the 
step of causing the network device to acquire the new 
network address comprises issuing a DHCP 
FORCE_RENEW message to the network device(Col. 8, 
lines 12-14, Col. 10, lines 62-64 and Col. 11, lines 56- 
60). 



5. A method as recited in Claim 1, wherein

• the network device uses dynamic host control protocol
(DHCP) to obtain the new network address, and wherein the
step of causing the network device to acquire the new
network address comprises prompting the network device to
request a new network address using DHCP(Col. 8, lines 12
- 14, Col. 10, lines 62 - 64).



6. A method as recited in Claim 1, wherein



• the network device uses dynamic host control protocol 
(DHCP) to obtain the new network address, and wherein the 
step of causing the network device to acquire the new 
network address comprises waiting for expiration of a lease 
for a current network address of the network device (Col. 8, 
lines 12-14, Col. 10, lines 62-64 and Col. 11, lines 56 - 
60). 

7. A method as recited in Claim 1, wherein



• the step of causing the network device to acquire the new 
network address comprises the step of providing the network 
device with an IP address that is selected from a plurality of 
IP addresses within a special IP subnet(Col. 5, lines 54 - 65, 
Col. 11, lines 62 - 63, Col. 12, lines 4 - 9).



8. A method as recited in Claim 7, further comprising

• the step of publishing information describing characteristics
of the special IP subnet to network service providers(Col. 9,
lines 36 - 38).

12. A method as recited in Claim 1, further comprising the steps 
of determining 

• whether a malicious act caused the security event, and if 
not, removing the user from the second specified pool(Col. 
5, lines 54 - 65, Col. 11, lines 62 - 63, Col. 12, lines 4 - 9).



13. A method as recited in Claim 1, further comprising 

• the steps of determining whether a malicious act caused the 
security event, wherein a legal user action in the network is 
not determined to be a malicious act if the user is associated 
with a trusted customer of a network service provider(Col. 5, 
lines 54 - 65, Col. 11, lines 62 - 63, Col. 12, lines 4 - 9).

14. A method, comprising the computer-implemented steps of: 

• in a security controller that is coupled, through a network, to 
a network device having a first network address assigned 
from a first subset of addresses within a first specified pool 
associated with normal network users(Col. 5, lines 54 - 65, 
Col. 11, lines 62 - 63, Col. 12, lines 4 - 9):



• receiving information identifying a security event in the 
network(Col. 5, lines 54-65, Col. 11, lines 62-63, Col. 12, 
lines 4 - 9);

• correlating the security event information with network user
information to result in determining a network user
associated with the network device that caused the security
event(Col. 5, lines 54 - 65, Col. 11, lines 62 - 63, Col. 12,
lines 4 - 9);



• in response to receiving the information identifying the 
security event, placing the user in an elevated risk security 
group by causing the network device to acquire a new 
network address that is selected from a second subset of 
addresses within a second specified pool associated with 
suspected malicious network users(Col. 5, lines 54 - 65, 
Col. 11, lines 62 - 63, Col. 12, lines 4 - 9);

wherein 

• the second subset of addresses is different from the first 
subset of addresses(Col. 5, lines 54 - 65, Col. 11, lines 62 -
63, Col. 12, lines 4 - 9);

• configuring one or more security restrictions with respect to
the selected new network address(Col. 11, lines 23 - 34,
Col. 11, lines 51 - 56);

• determining whether a malicious act caused the security 
event(Col. 5, lines 54-65, Col. 11, lines 62-63, Col. 12, 
lines 4-9, the examiner notes that the security event is 
interpreted as if the authentication of the device fails); 



if a malicious act caused the security event, then providing 
information about the security event or malicious act to a security 



Application/Control Number: 10/797,773 
Art Unit: 2134 






decision controller(Col. 5, lines 54 - 65, Col. 11, lines 62 - 63,
Col. 12, lines 4-9, the examiner notes that the security event is 
interpreted as if the authentication of the device fails); 



if a malicious act did not cause the security event, then removing 
the user from the elevated risk group(Col. 5, lines 54 - 65, Col. 
11, lines 62 - 63, Col. 12, lines 4-9, the examiner notes that the 
security event is interpreted as if the authentication of the device 
fails). 



16. A method as recited in Claim 14, wherein causing the network 
device to acquire the new network address comprises the steps 
of: 



• re-configuring a dynamic host control protocol (DHCP) 
server to require said server to issue any new network 
address to the network device only from a specified group of 
network addresses that is reserved for users associated with 
elevated user risk(Col. 8, lines 12 - 14, Col. 10, lines 62-64 
and Col. 5, lines 54 - 65, Col. 11, lines 62 - 63, Col. 12,
lines 4 - 9 ); 

and 

performing any one of the steps of:

(a) resetting a port that is coupled to the network device to trigger
the network device to request a new network address using
DHCP();

(b) issuing a DHCP FORCE_RENEW message to the network
device();

(c) prompting the network device to request a new network
address using DHCP(Col. 8, lines 12 - 14, Col. 10, lines 62 - 64);
or

(d) waiting for expiration of a lease for the first network address of
the network device().

18. A computer-readable storage medium carrying one or more 
sequences of instructions, which instructions, when executed by 
one or more processors, cause the one or more processors to 
carry out the steps of (Col. 12, lines 43 - 59): 



• in a security controller that is coupled, through a network, to 
a network device having first network address assigned from 
a first subset of addresses within a first specified pool 
associated with normal network users(Col. 5, lines 54 - 65, 
Col. 11, lines 62 - 63, Col. 12, lines 4 - 9):



• in response to the security event, causing the network 
device to acquire a new network address that is selected 
from a second subset of addresses within a second specified 
pool associated with suspected malicious network users(Col.
5, lines 54 - 65, Col. 11, lines 62 - 63, Col. 12, lines 4 - 9,
the examiner notes that the security event is interpreted as if 
the authentication of the device fails); 

wherein 

• the second subset of addresses is different from the first 
subset of addresses(Col. 5, lines 54 - 65, Col. 11, lines 62 -
63, Col. 12, lines 4 - 9);

• and configuring one or more security restrictions with respect
to the new network address(Col. 11, lines 23 - 34, Col. 11,
lines 51 - 56).



19. An apparatus, comprising: 



• in a security controller that is coupled, through a network, to 
a network device having a first network address assigned 
from a first subset of addresses within a first specified pool 
associated with normal network users(Col. 5, lines 54 - 65, 
Col. 11, lines 62 - 63, Col. 12, lines 4 - 9):

• means for, in response to the security event, causing the 
network device to acquire a new network address that is 
selected from a second subset of addresses within a second 
specified pool associated with suspected malicious network 
users(Col. 5, lines 54 - 65, Col. 11, lines 62 - 63, Col. 12, lines 4 
- 9, the examiner notes that the security event is interpreted as if 
the authentication of the device fails);

wherein



• the second subset of addresses is different from the first 
subset of addresses(Col. 5, lines 54 - 65, Col. 11, lines 62 - 63, 
Col. 12, lines 4 - 9):



• and means for configuring one or more security restrictions 
with respect to the new network address(Col. 11, lines 23 - 34,
Col. 11, lines 51 - 56).



20. An apparatus, comprising: 

• a network interface that is coupled to a data network for 
receiving one or more packet flows therefrom(Col. 5, lines 9 - 
17, Col. 11, lines 23 - 34, the firewall or gateway is considered as
a network interface that is coupled to the data network); 

• a processor(Col. 12, lines 60 - 64); 



• one or more stored sequences of instructions which, when 
executed by the processor, cause the processor to carry out 
the steps of(Col. 12, lines 43 - 49): 

• in a security controller that is coupled, through the data 
network, to a network device having a first network address 
assigned from a first subset of addresses within a first
specified pool associated with normal network users(Col. 5,
lines 54 - 65, Col. 11, lines 62 - 63, Col. 12, lines 4 - 9): 



• in response to the security event, causing the network 
device to acquire a new network address that is selected 
from a second subset of addresses within a second specified 
pool associated with suspected malicious network users(Col. 
5, lines 54 - 65, Col. 11, lines 62 - 63, Col. 12, lines 4-9, the 
examiner notes that the security event is interpreted as if the 
authentication of the device fails); 

wherein 



• the second subset of addresses is different from the first 
subset of addresses(Col. 5, lines 54 - 65, Col. 11, lines 62 - 63, 
Col. 12, lines 4 - 9):



• and configuring one or more security restrictions with respect 
to the new network address(Col. 11, lines 23 - 34, Col. 11, 
lines 51 - 56). 



24. A computer-readable storage medium carrying one or more 
sequences of instructions, which instructions, when executed by 
one or more processors, cause the one or more processors to 
carry out the steps of:

• in a security controller that is coupled, through a network, to
a network device having a first network address assigned
from a first subset of addresses within a first specified pool
associated with normal network users(Col. 5, lines 54 - 65,
Col. 11, lines 62 - 63, Col. 12, lines 4 - 9):



• receiving information identifying a security event in the 
network(Col. 5, lines 54-65, Col. 11, lines 62-63, Col. 12, 
lines 4 - 9); 



• correlating the security event information with network user 
information to result in determining a network user 
associated with the network device that caused the security 
event(Col. 5, lines 54-65, Col. 11, lines 62-63, Col. 12, 
lines 4 - 9); 



• in response to receiving the information identifying the 
security event, placing the user in an elevated risk security 
group by causing the network device to acquire a new 
network address that is selected from a second subset of 
addresses within a second specified pool associated with 
suspected malicious network users(Col. 5, lines 54 - 65, 
Col. 11, lines 62 - 63, Col. 12, lines 4 - 9);



wherein 

• the second subset of addresses is different from the first 
subset of addresses(Col. 5, lines 54 - 65, Col. 11, lines 62 -
63, Col. 12, lines 4 - 9);



• configuring one or more security restrictions with respect to 
the new network address(Col. 11, lines 23 - 34, Col. 11,
lines 51 - 56); 



• determining whether a malicious act caused the security 
event(Col. 5, lines 54-65, Col. 11, lines 62-63, Col. 12, 
lines 4 - 9); 



• if a malicious act caused the security event, then providing 
information about the security event or malicious act to a 
security decision controller(Col. 5, lines 54 - 65, Col. 11,
lines 62 - 63, Col. 12, lines 4 - 9); 



• if a malicious act did not cause the security event, then 
removing the user from the elevated risk group(Col. 5, lines 
54 - 65, Col. 11, lines 62 - 63, Col. 12, lines 4 - 9).



25. An apparatus comprising 

• in a security controller that is coupled, through a network, to 
a network device having a first network address assigned 
from a first subset of addresses within a first specified pool 
associated with normal network users(Col. 5, lines 54 - 65, 
Col. 11, lines 62 - 63, Col. 12, lines 4 - 9):

• means for receiving information identifying a security event
in the network(Col. 5, lines 54 - 65, Col. 11, lines 62 - 63,
Col. 12, lines 4 - 9, the examiner notes that the security
event is interpreted as if the authentication of the device
fails);



• means for correlating the security event information with 
network user information to result in determining a network 
user associated with the network device that caused the 
security event(Col. 5, lines 54 - 65, Col. 11, lines 62 - 63,
Col. 12, lines 4 - 9);

• means for, in response to receiving the information 
identifying the security event, placing the user in an elevated 
risk security group by causing the network device to acquire 
a new network address that is selected from a second 
subset of addresses within a second specified pool 
associated with suspected malicious network users(Col. 5, 
lines 54-65, Col. 11, lines 62-63, Col. 12, lines 4 - 9); 

wherein 

• the second subset of addresses is different from the first 
subset of addresses(Col. 5, lines 54 - 65, Col. 11, lines 62 -
63, Col. 12, lines 4 - 9);



• means for configuring one or more security restrictions with 
respect to the new network address(Col. 11, lines 23 - 34,
Col. 11, lines 51 - 56);

• means for determining whether a malicious act caused the
security event(Col. 5, lines 54 - 65, Col. 11, lines 62 - 63,
Col. 12, lines 4 - 9);



• means for, if a malicious act caused the security event, then 
providing information about the security event or malicious 
act to a security decision controller(Col. 5, lines 54 - 65, Col. 
11, lines 62 - 63, Col. 12, lines 4 - 9);

• means for, if a malicious act did not cause the security 
event, then removing the user from the elevated risk 
group(Col. 5, lines 54-65, Col. 11, lines 62-63, Col. 12, 
lines 4 - 9). 



26. An apparatus, comprising: 

• a network interface that is coupled to a data network for 
receiving one or more packet flows therefrom (Col. 5, lines 9 
- 17, Col. 11, lines 23 - 34, the firewall or gateway is
considered as a network interface that is coupled to the data 
network to allow for packet flow to the data network); 

• a processor(Col. 12, lines 60 - 64); and 

• one or more stored sequences of instructions which, when 
executed by the processor, cause the processor to carry 
out(Col. 12, lines 43 - 49):

• in a security controller that is coupled, through a network, to
a network device having a first network address assigned
from a first subset of addresses within a first specified pool
associated with normal network users(Col. 5, lines 54 - 65,
Col. 11, lines 62 - 63, Col. 12, lines 4 - 9):

• receiving information identifying a security event in the 
network(Col. 5, lines 54-65, Col. 11, lines 62-63, Col. 12, 
lines 4 - 9); 

• correlating the security event information with network user 
information to result in determining a network user 
associated with the network device that caused the security 
event(Col. 5, lines 54-65, Col. 11, lines 62-63, Col. 12, 
lines 4 - 9); 

• in response to receiving the information identifying the 
security event, placing the user in an elevated risk security 
group by causing the network device to acquire a new 
network address that is selected from a second subset of 
addresses within a second specified pool associated with 
suspected malicious network users(Col. 5, lines 54 - 65, 
Col. 11, lines 62 - 63, Col. 12, lines 4 - 9);

wherein 

• the second subset of addresses is different from the first 
subset of addresses(Col. 5, lines 54 - 65, Col. 11, lines 62 -
63, Col. 12, lines 4 - 9);



• configuring one or more security restrictions with respect to
the new network address(Col. 11, lines 23 - 34, Col. 11,
lines 51 - 56);

• determining whether a malicious act caused the security
event(Col. 5, lines 54 - 65, Col. 11, lines 62 - 63, Col. 12,
lines 4 - 9);

• if a malicious act caused the security event, then providing 
information about the security event or malicious act to a 
security decision controller(Col. 5, lines 54 - 65, Col. 11,
lines 62 - 63, Col. 12, lines 4 - 9); 

• if a malicious act did not cause the security event, then 
removing the user from the elevated risk group(Col. 5, lines 
54 - 65, Col. 11, lines 62 - 63, Col. 12, lines 4 - 9).



28. The apparatus of claim 26, wherein the instructions which 
when executed cause the network device to acquire a new 
network address comprise further instructions which when 
executed cause: 

• re-configuring a dynamic host control protocol (DHCP) 
server to require said server to issue any new network 
address to the network device only from a specified group of 
network addresses that is reserved for users associated with 
elevated user risk(Col. 8, lines 12 - 14, Col. 10, lines 62 - 64 
and Col. 5, lines 54-65, Col. 11, lines 62-63, Col. 12, 
lines 4 - 9); and

performing any one of the steps of:

(a) resetting a port that is coupled to the network device to trigger
the network device to request a new network address using
DHCP();

(b) issuing a DHCP FORCE_RENEW message to the network
device();

(c) prompting the network device to request a new network
address using DHCP(Col. 8, lines 12 - 14, Col. 10, lines 62 - 64);
or

(d) waiting for expiration of a lease for the first network address
of the network device().

30. The apparatus of claim 20, wherein 

• the network device uses dynamic host control protocol 
(DHCP) to obtain the new network address, and wherein the 
instructions which when executed cause the network device 
to acquire a new network address comprise instructions
which when executed cause resetting a port that is coupled 
to the network device to prompt a user to command the 
network device to request a new network address using 
DHCP(Col. 8, lines 12 - 14, Col. 10, lines 62 - 64). 



31. The apparatus of claim 20, wherein



• instructions which when executed cause the network device 
to acquire a new network address comprise instructions 
which when executed cause providing the network device
with an IP address that is selected from a plurality of IP
addresses within a special IP subnet(Col. 8, lines 12-14, 
Col. 10, lines 62 - 64 and Col. 12, lines 43 - 49). 



32. The apparatus of claim 20, wherein 

• the network device uses dynamic host control protocol 
(DHCP) to obtain the new network address, and wherein the 
instructions which when executed cause the network device 
to acquire a new network address comprise instructions 
which when executed cause issuing a DHCP 
FORCE_RENEW message to the network device(Col. 11,
lines 56 - 60). 



33. The computer-readable storage medium of claim 18, wherein 

• the network device uses dynamic host control protocol 
(DHCP) to obtain the new network address, and wherein the 
instructions which, when executed, cause the network 
device to acquire the new network address comprise 
instructions which when executed cause resetting a port that 
is coupled to the network device to prompt a user to 
command the network device to request a new network 
address using DHCP (Col. 8, lines 12 - 14, Col. 10, lines 62 
- 64 and Col. 12, lines 43 - 49).



34. The computer-readable storage medium of claim 18, wherein 

• the network device uses dynamic host control protocol 
(DHCP) to obtain the new network address, and wherein the
instructions which when executed cause the network device
to acquire the new network address comprise instructions 
which when executed cause issuing a DHCP 
FORCE_RENEW message to the network device (Col. 8, 
lines 12-14, Col. 10, lines 62-64 and Col. 11, lines 56- 
60). 



35. The computer-readable storage medium of claim 18, wherein 

• instructions which when executed cause the network device 
to acquire a new network address comprise instructions 
which when executed cause providing the network device 
with an IP address that is selected from a plurality of IP 
addresses within a special IP subnet(Col. 8, lines 12-14, 
Col. 10, lines 62 - 64 and Col. 12, lines 43 - 49). 



36. The apparatus of claim 19, wherein 

• the network device uses dynamic host control protocol 
(DHCP) to obtain the new network address, and wherein the 
means for causing the network device to acquire the new 
network address comprise means for resetting a port that is 
coupled to the network device to prompt a user to command 
the network device to request a new network address using 
DHCP(Col. 8, lines 12 - 14, Col. 10, lines 62 - 64). 

37. The apparatus of claim 19, wherein 

• the network device uses dynamic host control protocol 
(DHCP) to obtain the new network address, and wherein the 
means for causing the network device to acquire the new
network address comprise means for issuing a DHCP
FORCE_RENEW message to the network device(Col. 8, 
lines 12-14, Col. 10, lines 62-64 and Col. 11, lines 56- 
60). 



38. The apparatus of claim 19, wherein 

• the means for causing the network device to acquire a new 
network address comprise means for providing the network 
device with an IP address that is selected from a plurality of 
IP addresses within a special IP subnet(Col. 8, lines 12 - 
14, Col. 10, lines 62-64). 



39. The computer-readable storage medium of claim 24, wherein 
the instructions which when executed cause the network device to 
acquire a new network address comprise further instructions 
which when executed cause (Col. 12, lines 43 - 59): 



• re-configuring a dynamic host control protocol (DHCP) 
server to require said server to issue any new network 
address to the network device only from a specified group of 
network addresses that is reserved for users associated with 
elevated user risk(Col. 8, lines 12 - 14, Col. 10, lines 62 - 64 
and Col. 5, lines 54-65, Col. 11, lines 62-63, Col. 12, 
lines 4 - 9); 



and performing any one of the steps of: 






(a) resetting a port that is coupled to the network device to trigger
the network device to request a new network address using
DHCP();

(b) issuing a DHCP FORCE_RENEW message to the network
device();

(c) prompting the network device to request a new network 
address using DHCP(Col. 8, lines 12 - 14, Col. 10, lines 62 - 64); 
or 

(d) waiting for expiration of a lease for the first network address of 
the network device(). 

41. The apparatus of claim 25, wherein the means for causing the
network device to acquire a new network address further 
comprise: 



• means for re-configuring a dynamic host control protocol 
(DHCP) server to require said server to issue any new 
network address to the network device only from a specified 
group of network addresses that is reserved for users 
associated with elevated user risk(Col. 8, lines 12-14, Col. 
10, lines 62 - 64 and Col. 5, lines 54 - 65, Col. 11, lines 62 -
63, Col. 12, lines 4 - 9); and



means for performing any one of the steps of:

(e) resetting a port that is coupled to the network device to trigger
the network device to request a new network address using
DHCP();

(f) issuing a DHCP FORCE_RENEW message to the network
device();

(g) prompting the network device to request a new network 
address using DHCP(Col. 8, lines 12 - 14, Col. 10, lines 62 - 64); 
or 

(h) waiting for expiration of a lease for the first network address of 
the network device(). 



Thomsen does not explicitly disclose: 



1. A method, comprising the computer-implemented steps of: 

• in a security controller that is coupled, through a network, to 
a network device having a first network address assigned 
from a first subset of addresses within a first specified pool 
associated with normal network users:

• determining a user identifier associated with the network
device that has caused a security event in the network;



2. A method as recited in Claim 1, further comprising the steps of:



• receiving information identifying the security event in the
network;

• correlating the security event information with network user 
information to result in determining the user identifier 
associated with the network device. 

9. A method as recited in Claim 1, wherein

• the step of configuring security restrictions comprises the 
steps of modifying an internet protocol (IP) access control list 
(ACL) associated with a port that is coupled to the network 
device to permit entry of IP traffic from only the new network 
address. 



10. A method as recited in Claim 1, wherein 

• the step of configuring security restrictions comprises the 
steps of modifying a media access control (MAC) ACL 
associated with a port that is coupled to the network device 
to permit entry of traffic only for a MAC address that is bound 
to the new network address.

11. A method as recited in Claim 1, further comprising

• the steps of determining whether a malicious act caused the 
security event, and if so, providing information about the 
security event or malicious act to a security decision 
controller. 



17. A method as recited in Claim 14, wherein the step of 
configuring one or more security restrictions comprises the steps 
of: 



• modifying an internet protocol (IP) access control list (ACL) 
associated with a port that is coupled to the network device 
to permit entry of IP traffic from only the new network 
address; 

• and modifying a media access control (MAC) ACL 
associated with the port to permit entry of traffic only for a 
MAC address that is bound to the new network address. 



18. A computer-readable storage medium carrying one or more 
sequences of instructions, which instructions, when executed by 
one or more processors, cause the one or more processors to 
carry out the steps of:

• determining a user identifier associated with the network
device that has caused a security event in the network();



19. An apparatus, comprising: 



• means for determining a user identifier associated with the
network device that has caused a security event in the
network();

20. An apparatus, comprising: 



• determining a user identifier associated with the network 
device that has caused a security event in the network();



29. The apparatus of claim 26, wherein the instructions which 
when executed cause configuring one or more security 
restrictions comprise instructions which when executed cause: 

• modifying an internet protocol (IP) access control list (ACL) 
associated with a port that is coupled to the network device 
to permit entry of IP traffic from only the new network 
address; and 

• modifying a media access control (MAC) ACL associated 
with the port to permit entry of traffic only for a MAC address 
that is bound to the new network address.

40. The computer-readable storage medium of claim 24, wherein
the instructions which when executed cause configuring one or 
more security restrictions comprise instructions which when 
executed cause: 

• modifying an internet protocol (IP) access control list (ACL) 
associated with a port that is coupled to the network device 
to permit entry of IP traffic from only the new network 
address; and 

• modifying a media access control (MAC) ACL associated 
with the port to permit entry of traffic only for a MAC address 
that is bound to the new network address. 

42. The apparatus of claim 25, wherein the means for configuring 
one or more security restrictions comprise: 

• means for modifying an internet protocol (IP) access control 
list (ACL) associated with a port that is coupled to the 
network device to permit entry of IP traffic from only the new 
network address; and 

• means for modifying a media access control (MAC) ACL 
associated with the port to permit entry of traffic only for a 
MAC address that is bound to the new network address. 

However, Renda discloses: 

1. A method, comprising the computer-implemented steps of: 

• in a security controller that is coupled, through a network, to 
a network device having a first network address assigned 
from a first subset of addresses within a first specified pool 
associated with normal network users (Col. 8, lines 48 - 58, 
Col. 24, lines 13-23, Col. 25, lines 3-16, Col. 27, Col. 7, 
lines 45 - 62, lines 52 - 57, the examiner notes that the 
security controller is considered the master access controller 
or access controller): 



• determining a user identifier associated with the network 
device that has caused a security event in the network (Col. 
9, lines 45 - 55, Col. 23, lines 31 - 33, Col. 24, lines 3 - 9); 



2. A method as recited in Claim 1, further comprising the steps of: 



• receiving information identifying the security event in the 
network (Col. 7, lines 63 - 67, col. 8, lines 1 - 14); 

• correlating the security event information with network user 
information to result in determining the user identifier 
associated with the network device (Col. 7, lines 63 - 67, col. 
8, lines 1 - 14). 

9. A method as recited in Claim 1, wherein 

• the step of configuring security restrictions comprises the 
steps of modifying an internet protocol (IP) access control list 
(ACL) associated with a port that is coupled to the network 
device to permit entry of IP traffic from only the new network 
address (Col. 10, lines 54 - 64). 



10. A method as recited in Claim 1, wherein 

• the step of configuring security restrictions comprises the 
steps of modifying a media access control (MAC) ACL 
associated with a port that is coupled to the network device 
to permit entry of traffic only for a MAC address that is bound 
to the new network address (Col. 10, lines 44 - 48). 



11. A method as recited in Claim 1, further comprising 

• the steps of determining whether a malicious act caused the 
security event, and if so, providing information about the 
security event or malicious act to a security decision 
controller (Col. 7, lines 63 - 67, Col. 8, lines 1 - 14). 



17. A method as recited in Claim 14, wherein the step of 
configuring one or more security restrictions comprises the steps 
of: 



• modifying an internet protocol (IP) access control list (ACL) 
associated with a port that is coupled to the network device 
to permit entry of IP traffic from only the new network 
address (Col. 10, lines 54 - 64); 

• and modifying a media access control (MAC) ACL 
associated with the port to permit entry of traffic only for a 
MAC address that is bound to the new network address (Col. 
10, lines 44 - 48). 



18. A computer-readable storage medium carrying one or more 
sequences of instructions, which instructions, when executed by 
one or more processors, cause the one or more processors to 
carry out the steps of (Col. 6, lines 4-18, Col. 6, lines 34 - 48): 



• determining a user identifier associated with the network 
device that has caused a security event in the network (Col. 
9, lines 45 - 55, Col. 23, lines 31 - 33, Col. 24, lines 3 - 9); 



19. An apparatus, comprising: 



• means for determining a user identifier associated with the 
network device that has caused a security event in the 
network (Col. 9, lines 45 - 55, Col. 23, lines 31 - 33, Col. 24, 
lines 3 - 9); 



20. An apparatus, comprising: 



• determining a user identifier associated with the network 
device that has caused a security event in the network (Col. 
9, lines 45 - 55, Col. 23, lines 31 - 33, Col. 24, lines 3 - 9); 



29. The apparatus of claim 26, wherein the instructions which 
when executed cause configuring one or more security 
restrictions comprise instructions which when executed cause: 

• modifying an internet protocol (IP) access control list (ACL) 
associated with a port that is coupled to the network device 
to permit entry of IP traffic from only the new network 
address (Col. 10, lines 54 - 64); and 

• modifying a media access control (MAC) ACL associated 
with the port to permit entry of traffic only for a MAC address 
that is bound to the new network address (Col. 10, lines 44 - 
48). 



40. The computer-readable storage medium of claim 24, wherein 
the instructions which when executed cause configuring one or 
more security restrictions comprise instructions which when 
executed cause (Col. 6, lines 4-18, Col. 6, lines 34 - 48): 

• modifying an internet protocol (IP) access control list (ACL) 
associated with a port that is coupled to the network device 
to permit entry of IP traffic from only the new network 
address (Col. 10, lines 54 - 64); and 

• modifying a media access control (MAC) ACL associated 
with the port to permit entry of traffic only for a MAC address 
that is bound to the new network address (Col. 10, lines 44 - 
48). 

42. The apparatus of claim 25, wherein the means for configuring 
one or more security restrictions comprise: 

• means for modifying an internet protocol (IP) access control 
list (ACL) associated with a port that is coupled to the 
network device to permit entry of IP traffic from only the new 
network address (Col. 10, lines 54 - 64); and 

• means for modifying a media access control (MAC) ACL 
associated with the port to permit entry of traffic only for a 
MAC address that is bound to the new network address (Col. 
10, lines 44 - 48). 

Thomsen and Renda are analogous art because they are from 
the "same field of endeavor," which is the field of secure 
accessing of a network. 



At the time of the invention, it would have been obvious to one of 
ordinary skill in the art, having the teachings of Thomsen and 
Renda before him or her, to modify an electronic device acquiring 
an internet protocol address from a pool of internet protocol 
addresses of known malicious user of the internet of Thomsen to 
include a security controller to judge whether or not the user 
should obtain an address from pool of internet protocol addresses 
that are not associated with malicious user or the user should 
obtain an internet address from a pool of internet protocol 
addresses that are associated with malicious from of Renda. 



The suggestion/motivation for doing so would have been to see 
KSR v. Teleflex, 127 S.Ct. 1727, 1740, 82 USPQ2d 1385, 1396 
(2007) 



Conclusion 